I've ended up with a pretty similar setup.
We use SOPS and the encrypted .env file is stored in VCS. The key is stored in 1Password with instructions on where to stuff it on your machine. Then you just decrypt the .env file and you're off to the races.
For anyone new to SOPS like I was - https://github.com/getsops/sops
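The workflow the comment above describes, written out as a small script. This is an added example, not the commenter's own tooling; it assumes things the comment does not state: that the SOPS backend is age (SOPS also supports KMS, GCP KMS, Azure Key Vault and PGP), that the committed file is named `.env.enc`, and that the private key pasted from 1Password goes to SOPS's default age key path (`~/.config/sops/age/keys.txt`, overridable with `SOPS_AGE_KEY_FILE`). The `.sops.yaml` rule it writes pins `.env`/`.env.enc` to the given age recipients so the plain `sops` commands need no extra flags.

```shell
#!/bin/sh
# Added example (not from the original post): encrypted .env in VCS,
# private key fetched from 1Password onto the developer machine.
# Assumed, since the post does not say: age backend, committed file is
# .env.enc, key stored at SOPS's default age key path.
set -eu

# Where SOPS looks for age private keys unless SOPS_AGE_KEY_FILE overrides it.
sops_age_key_file() {
  printf '%s\n' "${SOPS_AGE_KEY_FILE:-${XDG_CONFIG_HOME:-$HOME/.config}/sops/age/keys.txt}"
}

# .sops.yaml creation rule: only .env / .env.enc files, encrypted to the given
# comma-separated age recipients. Commit it next to .env.enc.
render_sops_yaml() {
  recipients="$1"
  printf 'creation_rules:\n  - path_regex: \\.env(\\.enc)?$\n    age: "%s"\n' "$recipients"
}

# Store the private key pasted from 1Password (an "AGE-SECRET-KEY-1..." line)
# in the default key file, readable only by the current user.
install_age_key() {
  key="$1"
  file="$(sops_age_key_file)"
  (umask 077; mkdir -p "$(dirname "$file")"; printf '%s\n' "$key" >> "$file")
  chmod 600 "$file"
  printf '%s\n' "$file"
}

# Encrypt a dotenv file. Variable names stay in clear and only the values are
# encrypted, so a VCS diff of .env.enc still shows which variables changed.
encrypt_env() { sops --encrypt --input-type dotenv --output-type dotenv "$1" > "$2"; }

# Decrypt back to a local .env (keep .env itself in .gitignore).
decrypt_env() { sops --decrypt --input-type dotenv --output-type dotenv "$1" > "$2"; }

# Refuse to decrypt if the key file is missing or readable by other users.
check_key_file() {
  file="$(sops_age_key_file)"
  [ -f "$file" ] || { echo "no age key at $file; paste it from 1Password first" >&2; return 1; }
  perms="$(ls -l "$file" | cut -c1-10)"
  case "$perms" in
    -rw-------) return 0 ;;
    *) echo "$file has mode $perms, expected -rw-------" >&2; return 1 ;;
  esac
}

usage() {
  echo "usage: $0 init <age-public-key[,...]> | install <age-secret-key> | encrypt | decrypt" >&2
}

main() {
  case "${1:-}" in
    init)    render_sops_yaml "$2" > .sops.yaml ;;
    install) install_age_key "$2" ;;
    encrypt) encrypt_env .env .env.enc ;;
    decrypt) check_key_file && decrypt_env .env.enc .env ;;
    *)       usage; return 2 ;;
  esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Typical use: `age-keygen -o keys.txt` once, put the public key into `init` and the secret key line into 1Password, then each developer runs `install` with the pasted secret and `decrypt` to get a working `.env`. The `check_key_file` step is there because a world-readable key file silently undoes the point of keeping the key out of the repo.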